Users are unable to connect to remote access VPN

Our users are unable to connect to the VPN at certain times of the day. Users have laptops with Windows 7 and Windows 10 OS. The headend is a Cisco 5540 ASA.
Authentication is done with Certificates that are stored on a smart card that must be inserted into the laptop and accessed with a PIN.  
This is affecting users with both Anyconnect version 4.3 and 4.5. The smart card reader software is ActivClient ActivID version 7.1.0
The error message that the users get is Certificate Validation failed


I have taken DART logs from a connection attempt that was successful and from one that failed. These are both attempts after logging into windows so the user cert store should be available
I tried to cut them to the point where they start to differ
  Below is the successful attempt

******************************************

Date        : 05/17/2018
Time        : 21:38:46
Type        : Information
Source      : acvpnui

Description : Function: ConnectMgr::processResponseString
File: ConnectMgr.cpp
Line: 10815
Client certificate requested by peer (via AggAuth)


******************************************

Date        : 05/17/2018
Time        : 21:38:47
Type        : Error
Source      : acvpnui

Description : Function: CTransportWinHttp::SendRequest
File: CTransportWinHttp.cpp
Line: 1256
Invoked Function: HttpSendRequest
Return Code: 12044 (0x00002F0C)
Description: A certificate is required to …

I am wanting to set a user up with a roaming profile. they have a surface they use at the office. When they are out they vpn in to connect to resources. I am setting them up a hyper v machine that I want to look and feel like there current desktop. Any ideas on this one.

user trying to access an internal system via chrome, system is hosted on Azure VM, VPN set up to connect to server from HQ. User is in another location which has a VPN tunnel connected to HQ. The other location has no VPN tunnel to the Azure server, this is not possible.

System can be accessed externally using normal web address however because the user is in an location that is connected to HQ via the VPN chrome is trying to use the VPN tunnell to connect.

Can a batch file be created to route the traffic for this address out through the internet connection instead of the VPN tunnel

Hi ,

we have subsidiary company with around 150 Users . it is linked to us (HO ) over IPVPN (1 MB)  and services getted from Us are :

1- CISCO IP telephone ( currently around 75 Users)
2- ERP ( about 50 USers)

thier existign Setup :

1- Domain COntroller ( seprate totally from us ) + Antivirus server ( 1 physical box)
2-finance system
3-Backup Server
4-Sonicwall NSA2600
5-Switches
7-Router for IPVPN

the managment is thinking to host the setup for the subsidary company so my questions are:

1- how I can do the proper sizing for the link ? so i ensure the users are not feeling slowness
2-what equipment should i move from there and what i should not ? best desing fro myour experince
3- how the internet should be provided to thier users ? from us or locally ?
4- what are the adv and disadvanage for such plan? should we recommend this plan or let them continue as they are
5- risks?
6- what are the pre requisits needed in the HO Data Center for hosting those equipment

We have a Windows 10 Pro box with two network interface cards.

We have one application we would like to run normally, as you would any application in Windows.

We have another application that must to be run through a VPN.

The computer can accommodate both however it is not strong enough to run a VM to separate them.

Is there a program or setting to run one application through one card and one application with the VPN through the other card?

It seems that the documentation about IPsec/IKE setup on an SRX to Azure s2s VPN is conflicting.  There are 3 pain points:

1.  Can IPsec/IKE be used on a policy-based VPN for Azure? It seems that Azure is clear about "no" but the suggested Azure config includes IPsec & IKE config
2.  Which IKE version is best for SRX to Azure - v1 or v2, when using Policy Based or Route-Based VPN? (see attachment)
3.  If a trust sec zone (internal interf.) and an unstrust sec. zone (exter. interf.) already exists, how can I add interfaces that are in one of those zones already to a new "Internal & Internet Zone" for the Azure VPN Tunnel as documentation suggests?  I receive an SRX error about adding interfaces to multiple zones prohibited and if using PB VPN there is no st0.x to that config and/or I don't understand how to utilize or place the traditional interface under the st0.x iface.

SRX ERROR:

commit check
[edit security zones security-zone Internal]
  'interfaces ge-0/0/1.0'
    Interface ge-0/0/1.0 already assigned to another zone
error: configuration check-out failed



I found this on Azure's site - https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-ipsecikepolicy-rm-powershell



juniper-no-ikev2.png

PPTP VPN on Linux Mint won't connect to Windows Server 2016 server. Windows 10 will connect PPTP both externally and internally. Linux fails with an error saying "VPN disconnected because the VPN service stopped"
Server 2016 VPN is set to use MSCHAPv2 only.
WIndows 10 connects when set to use MSCHAPv2 only.

Any help with resolving issue with S2S AZURE VPN <<to>> on prem SRX would be greatly appreciated.  I think that the issue is w/the SRX config because I am not even seeing successful completion of phase 1.  Also, when entering the config I received several "commit failures", although I made changes to get a successful commit I had to make several changes to the config for the SRX - PLEASE HELP!!!!

AZURE CONFIG DETAILS:

Active-Standby VPN gateway (single public IP address)

/Data/VNG_GATEWAYIP   = 40.114.24.XX

!     Active-Active VPN gateway (2 public IP addresses)

/Data/VNG_GATEWAYIPS/IpAddress/IP = 40.114.24.XX

! [3] Public IP address of the on-premises VPN device

/Data/LNG_GATEWAYIP   = 50.205.245.XX

! [4] VNet address prefixes: a list of all VNet address prefixes in different formats

/Data/VnetSubnets/Subnet/SP_NetworkIpRange = 10.30.0.0
  SP_NetworkSubnetMask   = 255.255.0.0
  SP_NetworkWildcardBits = 0.0.255.255
  SP_NetworkCIDR         = 10.30.0.0/16
  SP_TunnelName          = SP_TunnelName

! [5] On-premises address prefixes: a list of all on-premises address prefixes defined in LNG

/Data/OnPremiseSubnets/Subnet/SP_NetworkIpRange = 192.168.20.0
  SP_NetworkSubnetMask   = 255.255.255.0
  SP_NetworkWildcardBits = 0.0.0.255
SP_NetworkCIDR         = 192.168.20.0/24
  SP_TunnelName          = SP_TunnelName


SRX CONFIGURATION:

<style type="text/css">p.p1 {margin: 0.0px 0.0px 0.0px 0.0px; line-height: 19.0px; …

Hello everyone :)
I have several employees in several states that are currently not connected via VPN. I need to access your computers for my help desk team to act on requests but I do not want to use Team Viewer. The access will do across internet. What would be the best Microsoft strategy in this case, without using VPN? RD Gateway? DirectAccess?

In our datacenter we have a ASA pair (failover active/standby) which are connected to 2 ISP's. We are currently migrating from ISP1 to ISP2 and are using Policy Based Routing (PBR) on the ASA to make the transition smooth. We can pace the migration and move services step by step to the new ISP.

Everything seems to be working pretty well with PBR except for a problem with some site-to-site VPN-connections. We have a couple of site-to-site connections coming in on the ASA, for some we have access to both endpoints, for others the endpoint is managed by a third party. So originally the site-to-site connections are terminated by the ASA on ISP1, the remote end is connecting to the WAN IP of ISP1. To migrate we want to terminate the VPN on ISP2 on the ASA. So we reconfigure the remote endpoint to connect to the WAN IP of ISP2.

During the migration we use ISP1 as default (lowest metric in static route). With PBR we make sure that VPN traffic from and to ISP2 is routed correctly.

For Site-REMOTE1 and site-REMOTE2 this is working flawlessly, the remote endpoints are now connecting via ISP2 and are setting up a tunnel where we can see traffic TX and RX on both endpoints. Services at both ends working and tunnel is functioning.

For Site-REMOTE3 we see incoming and outgoing traffic on the ASA in the datacenter, but the remote endpoint is not receiving traffic (RX = 0). The tunnel is online and counter for RX datacenter ASA = counter TX REMOTE ASA.


If I switch …

Hi Guys

I am looking for the experts in the security field that could help me with this one.
What would be the pros and cons when it comes to open source firewalls and commercial firewalls?

IE support / costs etc.

What would be the best to use, that would be compatible with Azure VPN Route base and policy based routing for site to site / remote branch connectivity?

Using a Cisco Miraki VPN to access a windows 2012 R2 server shared drives. User is in China and the VPN works but he cannot access the shared drives. He has permissions and i set up a PC here locally and was able to access shared drives through VPN. Why cant he access them from China?

I have setup a test computer and installed a 180 day copy of Windows Server 2016 Essentials. I am learning about vpn setup in Server. During the setup process I created a local domain name and a self signed certificate. I got a message about ports 443 and 80 being blocked. I setup port forwards and after checking aging there was no error. I have attempted to connect to this vpn but have been unable to do so using Win7 vpn and Win10 vpn. I can connect to it on my LAN but this is the only way. I have read lots of pages but none of them have gotten me where I would like to be. My internet service provides a dynamic address. I know this can be a problem but the address has not changed throughout my testing. I am not using a business class router. In the information I read I kept seeing comments about an automatic router setup in the Anywhere Access setup. I never saw this. I will answer your comments to the best of my ability.